A quickly spreading worm on Tumblr has caused media companies The Verge, Reuters, and a large number of other account holders to publish a post laced with racist epithets and other offensive content.

The stunt, attributed to long-time Internet trolling collective GNAA, caused affected Tumblr accounts to display the post. People who viewed the post while logged into Tumblr were in turn forced to publish the offensive content, causing the attack to spread virally, according to security researchers. More than 86,000 accounts were affected, according to unconfirmed claims from GNAA members. Tumblr issued a statement saying site engineers are working to combat a "viral post circulating on Tumblr." It advised anyone who has viewed the post to immediately log out of all browsers that may be logged in. Update: Later in the day the company said engineers had resolved the problem.

According to researchers at antivirus provider Sophos, the GNAA post spread by including malicious code that exploited weaknesses in Tumblr's reblogging feature. A coding tag contained in the post linked to malicious code on another website. The JavaScript exploit, which was included in an iframe tag that pointed to an outside website, used what is known as base-64 encoding. It's a technique that uses printable ASCII characters to represent large chunks of binary data and has the benefit of making it harder to know exactly how a script will behave when executed.

"It shouldn't have been possible for someone to post such malicious JavaScript into a Tumblr post," Sophos Senior Technology Consultant Graham Cluley wrote. "Our assumption is that the attackers managed to skirt around Tumblr's defenses by disguising their code through Base 64 encoding and embedding it in a data URI."

It's unclear how the worm was able to spread so rapidly, but one theory that couldn't be ruled out as of the time of this writing is the possibility of an XSS hole found on Tumblr's site. Short for cross-site scripting, XSS techniques allow attackers to inject browser code of their choice into websites that are trusted by millions of users. In turn, miscreants can exploit XSS holes to perform drive-by malware installations, steal Web authentication credentials, post unauthorized content, or carry out other tasks not intended or initiated by the end user.

Assuming the Tumblr worm did exploit an XSS vulnerability in one of its Web applications, it wouldn't be the first time a social media site was hit by such an attack. In April 2009, Twitter was struck by a series of powerful, self-replicating exploits that caused accounts to flood the micro-blogging site with tens of thousands of messages simply by viewing booby-trapped user profiles. The most notorious self-replicating attack to hit social media was the Samy worm of 2005. It knocked MySpace out of commission when it added more than one million MySpace friends to a user named Samy. The author, one Samy Kamkar, was later convicted for the stunt.

According to Gizmodo, the malicious posting can be easily removed from infected accounts using the Tumblr mass editor. The site also recommends affected users change their account password, a measure that's probably not necessary, but wise considering Tumblr researchers have yet to offer a complete analysis of the attack.

Kind of sad really; because these "hacks" do need some intelligence/brains behind them and are not that easy to do, but once accomplished they go "hurr durr, niggars niglets fags gays kill mame haha"

Not really. This was a very simple attack, anybody could have figured it out with enough free time on their hands.

Say what you want about script kiddies, they certainly have plenty of free time.

I hope someone at Tumblr gets a slap on the wrist, it's their fault for allowing the vulnerability in the first place, they're the real person to blame. Everyone should consider themselves lucky this just posted some racial crap instead of installing credit card stealing malware.

I think you don't even need XSS in this case, since most Tumblr blogs are running on the same domain name, any script on any single blog will have authority to access all other Tumblr blogs, including the ones run by random visitors. Allowing JavaScript embedded in a blog post is bad. There's no excuse for it.

The JavaScript exploit, which was included in an iframe tag that pointed to an outside website, used what is known as base-64 encoding. It's a technique that compresses large chunks of code and has the benefit of making it harder to know exactly how a script will behave when executed.

Actually, base64 doesn't compress: it rather expands. In the old days, characters were encoded on 8 bits, but the ASCII standard only used 7 bits. This led to some divergence among developers: some used that last bit to make up a hundred more characters (creating the myriad of different encodings we had to deal with until Unicode really took over), and some chose to ignore languages that need more than just ASCII characters, and use that last bit to encode metadata (like signaling that a character is the last character of a word). And as it happened, some of these developers also programmed mail servers. This made said mail servers incompatible with encodings that did use the last character bit, because they thought that it meant something special.

To work around that, people came up with base64, which encodes data of any kind into purely ASCII characters. Not just purely ASCII characters (because those include more weird characters and control characters that are not suitable in e-mail either), but 64 definitely harmless characters. This means that base64 encodes 8-bit values on 6-bit code points. This means, in turn, that every byte triplet is encoded on four bytes in base64, making data 4/3 as big as it was before encoding.

But yeah, it does make any text utterly unreadable.

Also, I've probably screwed with these/those. English is not my first language (but even if it was, apparently, not a lot of people get it right anyways).
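The base64 behaviour described in the comment above, together with the Sophos remark about code hidden in a data URI, as an added example that is not part of the article, any comment, or Tumblr's code (JavaScript for Node.js; the sample markup and all function names are constructed for illustration). It shows the 3-byte-to-4-character expansion and why a content filter has to decode `data:` URIs before inspecting them.

```javascript
// Added example: constructed inputs, hypothetical function names.
// Constructed sample: harmless markup a keyword filter is meant to catch.
const SAMPLE_HTML = '<script>console.log("constructed sample")</script>';
const SAMPLE_B64 = Buffer.from(SAMPLE_HTML, 'utf8').toString('base64');
// Constructed post body carrying the sample inside a base64 data: URI.
const SAMPLE_POST = `<iframe src="data:text/html;base64,${SAMPLE_B64}"></iframe>`;

// base64 turns every 3-byte group into 4 characters ('=' pads the last one).
function base64Length(byteCount) {
  return 4 * Math.ceil(byteCount / 3);
}

// Naive filter: searches the raw markup only.
function naiveFilterFlags(markup) {
  return /<script/i.test(markup);
}

// Locate data: URIs and return their media type and decoded body.
function decodeDataUris(markup) {
  const re = /data:([\w.+\/-]*)(?:;[\w=-]+)*?(;base64)?,([^"'\s>]*)/gi;
  const found = [];
  for (const m of markup.matchAll(re)) {
    let body;
    try {
      body = m[2]
        ? Buffer.from(m[3], 'base64').toString('utf8')
        : decodeURIComponent(m[3]);
    } catch (e) {
      body = m[3]; // malformed percent-encoding: keep the raw text
    }
    found.push({ mime: (m[1] || 'text/plain').toLowerCase(), body });
  }
  return found;
}

// Decode-then-inspect: flag script tags in the raw markup or in any decoded
// data: URI, and flag data: URIs whose media type can carry script.
function decodedFilterFlags(markup) {
  if (naiveFilterFlags(markup)) return true;
  return decodeDataUris(markup).some(
    (u) => /html|javascript|svg/.test(u.mime) || naiveFilterFlags(u.body)
  );
}

console.log('raw filter flags post:    ', naiveFilterFlags(SAMPLE_POST));
console.log('decoded filter flags post:', decodedFilterFlags(SAMPLE_POST));
console.log('bytes -> base64 chars:    ', SAMPLE_HTML.length, '->', SAMPLE_B64.length);
```

Decoding first still leaves the filter dependent on pattern matching; refusing `data:` URIs in embed attributes altogether is the stronger control.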

Could someone explain a little about how the worm actually worked? I can see how the base64 encoding could be used as a way to sneak JS into a post that would then be executed by the user's browser. Presumably this JS submitted an AJAX request to Tumblr to repost the GNAA post. But how did the iframe enter into the picture? Wouldn't most browsers' same origin policy enforcement prevent any scripts loaded through the iframe from accessing anything in the Tumblr page DOM? And why would you need the iframe if you could execute any JS you wanted via the base64 trick?

I'm a novice when it comes to this stuff so maybe I'm just missing something simple.